MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24846b5909d31e83e7b2f74cbc95f403d51b8377aca1b7e0184408b6d1670dca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24846b5909d31e83e7b2f74cbc95f403d51b8377aca1b7e0184408b6d1670dca
SHA3-384 hash: 97a46341fef28f2894ff9553d0ed6ae740c577a021f8a7e7ba55b0c10861a6c208ad41c81e72016d7980367789b962d9
SHA1 hash: 867d8197b4147618e1fc207853b522a164faba1e
MD5 hash: 1233d19b0789a7c1287925828918d44f
humanhash: stream-december-hydrogen-moon
File name:NR52.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:277 bytes
First seen:2021-04-01 07:15:53 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6:ZDlzq9NqlqDG3uHarRRel1Eab3WDse0FXezmSF5Ld:LzqaIDGuqRRMEaefgXezFX
Threatray 923 similar samples on MalwareBazaar
TLSH 94D02B92516FB410384BB59104DD60C8F7516F571234ACFA08B06C9486185101E15123
Reporter abuse_ch
Tags:AsyncRAT vbs


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: odedi91204.mywhc.ca
Sending IP: 67.215.4.243
From: BillLatitude <ProBill-id3344495@domain.com>
Subject: from invoice payment#334449
Attachment: NR52.ISO (contains "NR52.vbs")

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/130492/
Detection(s):
SecuriteInfo.com.VBS.Downloader.yg.9067.23778.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Using the Windows Management Instrumentation requests
Modifying a system file
Replacing files
Launching a service
Creating a process from a recently created file
Downloading the file
Creating a file in the %temp% directory
Blocking the Windows Defender launch
Result
Verdict:
SUSPICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/661769
Signature
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Powershell creates an autostart link
Powershell drops PE file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Program Location Process Starts
Suspicious powershell command line found
Tries to download and execute files (via powershell)
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 379818 Sample: NR52.vbs Startdate: 01/04/2021 Architecture: WINDOWS Score: 100 71 prda.aadg.msidentity.com 2->71 73 newss.myq-see.com 2->73 91 Yara detected Powershell download and execute 2->91 93 Yara detected AntiVM3 2->93 95 Sigma detected: Suspicious Program Location Process Starts 2->95 97 4 other signatures 2->97 11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 109 VBScript performs obfuscated calls to suspicious functions 11->109 111 Wscript starts Powershell (via cmd or directly) 11->111 14 powershell.exe 9 11->14         started        process6 signatures7 113 Encrypted powershell cmdline option found 14->113 115 Drops PE files to the user root directory 14->115 117 Powershell creates an autostart link 14->117 119 Powershell drops PE file 14->119 17 powershell.exe 14->17         started        19 mshta.exe 14->19         started        23 conhost.exe 14->23         started        process8 dnsIp9 25 cmd.exe 17->25         started        28 conhost.exe 17->28         started        77 archive.org 207.241.224.2, 443, 49727, 49729 INTERNET-ARCHIVEUS United States 19->77 79 ia801509.us.archive.org 207.241.228.159, 443, 49728 INTERNET-ARCHIVEUS United States 19->79 61 C:\Users\user\AppData\...\chrome3[1].txt, HTML 19->61 dropped 30 powershell.exe 19->30         started        file10 process11 dnsIp12 99 Suspicious powershell command line found 25->99 101 Wscript starts Powershell (via cmd or directly) 25->101 103 Tries to download and execute files (via powershell) 25->103 105 Bypasses PowerShell execution policy 25->105 34 powershell.exe 25->34         started        38 powershell.exe 25->38         started        40 powershell.exe 25->40         started        46 3 other processes 25->46 81 ia801400.us.archive.org 207.241.228.140, 443, 49742 INTERNET-ARCHIVEUS United States 30->81 83 ia801402.us.archive.org 207.241.228.142, 443, 49765 INTERNET-ARCHIVEUS United States 30->83 85 6 other IPs or domains 30->85 63 PowerShell_transcr....20210401092206.txt, UTF-8 30->63 dropped 65 C:\Users\Public\Run\Microsoft.lnk, MS 30->65 dropped 67 C:\Users\Public\Microsoft.ps1, ASCII 30->67 dropped 69 C:\Users\Public\Chrome.vbs, ASCII 30->69 dropped 107 Creates an undocumented autostart registry key 30->107 42 powershell.exe 30->42         started        44 conhost.exe 30->44         started        file13 signatures14 process15 dnsIp16 75 gamecardsy.com 148.251.248.121, 49745, 49746, 49754 HETZNER-ASDE Germany 34->75 51 C:\Users\Public\DefenderControl.exe, PE32 34->51 dropped 53 C:\Users\Public\DefenderKill.lnk, MS 38->53 dropped 55 C:\Users\Public\Defender.bat, ASCII 40->55 dropped 48 wscript.exe 42->48         started        57 C:\Users\Public\ff.ps1, ASCII 46->57 dropped 59 C:\Users\Public\DefenderControl.ini, Little-endian 46->59 dropped file17 process18 signatures19 87 Wscript starts Powershell (via cmd or directly) 48->87 89 Encrypted powershell cmdline option found 48->89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24846b5909d31e83e7b2f74cbc95f403d51b8377aca1b7e0184408b6d1670dca/
Threat name:
Script-WScript.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 07:16:09 UTC
AV detection:
4 of 47 (8.51%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=escgwwij2mpihz5s65glzfpuapkrxa3xvsq3pyayiqelnulhbxfa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
2c8c5c5e5990da4a2af218cfece6afda3f4830be6605b9767adbfbde2e5cd276
AsyncRAT
37b842cb5ad7a0ce19bd735e14bfd35f2d0708d396dbdf56b32c79448bbbef3a
AsyncRAT
580b46d3c66531c7398e60857e6d5177d500d75cc802ded85965e0c2a09e255c
AsyncRAT
73ffaa868244eb4bcee7027ce57d30e604dda4dcda00fcfcbfb43103909ea52b
AsyncRAT
7fa47492c2377042d9b56f5d81c5e342aced8f51ca4237c9cd228d9b13b3bca5
AsyncRAT
867eb496d9f6122024560c00e0a2fde238fed90558dd0b4b838047c8eed8196c
AsyncRAT
86b22d8497ac1df55b76bddca6c021ec4b9995b00caea5effeeffe4e9f592e44
AsyncRAT
8dd3b9fb0158903433d23f879d07820b8110a4b6417f3deda72342c2f698384e
AsyncRAT
b5c98bb2d9391ffb93eea1ff796c1c924493c8e58160278c4ffe7ed3ba234ed2
AsyncRAT
bcfcc5a278671fbe1b5f5f27c6d61921add83e57a0c61f80a165455b3fe0875a
AsyncRAT
+ 913 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat evasion rat trojan
Link:
https://tria.ge/reports/210401-fre32f13fn/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Windows security modification
Blocklisted process makes network request
Executes dropped EXE
Async RAT payload
AsyncRat
Modifies security service
Malware Config
C2 Extraction:
newss.myq-see.com:1177
Dropper Extraction:
http://gamecardsy.com/ahmadtestupl/DefenderControl.exe
http://gamecardsy.com/ahmadtestupl/DefenderKill.txt
http://gamecardsy.com/ahmadtestupl/Defender.bat
http://gamecardsy.com/ahmadtestupl/DefenderControl.txt
http://gamecardsy.com/ahmadtestupl/ff.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24846b5909d31e83e7b2f74cbc95f403d51b8377aca1b7e0184408b6d1670dca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

iso f395aa4932b927d99775a9b51dce52bc656e16d85cef28ca2e581be6d6bba253

AsyncRAT

Visual Basic Script (vbs) vbs 24846b5909d31e83e7b2f74cbc95f403d51b8377aca1b7e0184408b6d1670dca

(this sample)

  
Dropped by
MD5 7feab84d56fdc64194f2399a38e41f5b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/130492/
  
Dropped by
SHA256 f395aa4932b927d99775a9b51dce52bc656e16d85cef28ca2e581be6d6bba253

Comments